In response to the firestorm over its DRM on CDs, Sony made available last week a Web-based “uninstaller” to remove it. It appears this cure is worse than the disease.
Matti Nikki of Finland was the first to figure out just what the uninstaller was doing. It seems the uninstaller puts an ActiveX control called CodeSupport on the target machine even before the uninstall URL can be obtained.
The control is marked “safe for scripting” and remains this way on the machine even after the uninstall process is concluded.
What this means is that any remote user can script the control from a web page and use its methods to do anything.
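A defender's check for the condition described above, as an added example that is not code from the article or from Sony: this PowerShell script finds registered COM classes whose name or server path contains "CodeSupport", reports whether each carries the Safe-for-Scripting registry category, and can set the Internet Explorer kill bit for it. The substring match is an assumption, since the page gives no CLSID or file name; the function and variable names are illustrative.

```powershell
# Added example (not from the article): audit for the control and its IE exposure.
$Pattern          = 'CodeSupport'  # name from the article; substring match is an assumption
$SafeForScripting = '{7DD95801-9882-11CF-9FA8-00AA006C4DA6}'  # CATID_SafeForScripting
$KillBit          = 0x400          # "Compatibility Flags" bit that stops IE loading a control

# Registry views to check: native, plus the 32-bit view on 64-bit Windows.
$Views = @(
    @{ Clsid  = 'Registry::HKEY_CLASSES_ROOT\CLSID'
       Compat = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' },
    @{ Clsid  = 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
       Compat = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
)

function Get-ControlExposure {
    param([string]$NamePattern = $Pattern)
    foreach ($view in $Views) {
        if (-not (Test-Path $view.Clsid)) { continue }
        foreach ($key in Get-ChildItem $view.Clsid -ErrorAction SilentlyContinue) {
            $name   = $key.GetValue('')
            $srvKey = $key.OpenSubKey('InprocServer32')
            $server = if ($srvKey) { $srvKey.GetValue('') } else { $null }
            if ("$name $server" -notmatch [regex]::Escape($NamePattern)) { continue }

            $compatKey = Join-Path $view.Compat $key.PSChildName
            $flags = (Get-ItemProperty $compatKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
            [pscustomobject]@{
                CLSID                 = $key.PSChildName
                Name                  = $name
                Server                = $server
                # Registry marking only; IObjectSafety claims are not visible here.
                SafeForScriptingInReg = [bool]$key.OpenSubKey("Implemented Categories\$SafeForScripting")
                KillBitSet            = [bool]($flags -band $KillBit)
                CompatKey             = $compatKey
            }
        }
    }
}

function Set-KillBit {
    # Run elevated. Pass the CompatKey of an entry reported by Get-ControlExposure.
    param([Parameter(Mandatory)][string]$CompatKey)
    if (-not (Test-Path $CompatKey)) { New-Item -Path $CompatKey -Force | Out-Null }
    $cur = (Get-ItemProperty $CompatKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    Set-ItemProperty -Path $CompatKey -Name 'Compatibility Flags' -Type DWord -Value ([int]$cur -bor $KillBit)
}

Get-ControlExposure | Format-List
```

A control can also declare itself safe for scripting at runtime through the IObjectSafety interface, so a `False` in `SafeForScriptingInReg` does not by itself mean the control is unreachable from script; the kill bit blocks Internet Explorer from loading it in either case.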